ALAS2023-2025-1094

Amazon Linux 2023 Security Advisory: ALAS2023-2025-1094
Advisory Released Date: 2025-08-08
Advisory Updated Date: 2025-08-08

Severity: Important

References: CVE-2025-52434 CVE-2025-52520 CVE-2025-53506
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections.

This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 9.0.107, which fixes the issue. (CVE-2025-52434)

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. (CVE-2025-52520)

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. (CVE-2025-53506)

Affected Packages:

tomcat9

Issue Correction:
Run dnf update tomcat9 --releasever 2023.8.20250808 or dnf update --advisory ALAS2023-2025-1094 --releasever 2023.8.20250808 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

noarch:
    tomcat9-9.0.107-1.amzn2023.0.1.noarch
    tomcat9-el-3.0-api-9.0.107-1.amzn2023.0.1.noarch
    tomcat9-webapps-9.0.107-1.amzn2023.0.1.noarch
    tomcat9-docs-webapp-9.0.107-1.amzn2023.0.1.noarch
    tomcat9-admin-webapps-9.0.107-1.amzn2023.0.1.noarch
    tomcat9-jsp-2.3-api-9.0.107-1.amzn2023.0.1.noarch
    tomcat9-servlet-4.0-api-9.0.107-1.amzn2023.0.1.noarch
    tomcat9-lib-9.0.107-1.amzn2023.0.1.noarch

src:
    tomcat9-9.0.107-1.amzn2023.0.1.src

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-52434, CVE-2025-52520, CVE-2025-53506

Mitre: CVE-2025-52434, CVE-2025-52520, CVE-2025-53506